Configuring ports for firewall traversal
Ports play a vital part in firewall traversal configuration. The correct ports must be set on the VCS
Expressway, traversal client and firewall in order for connections to be permitted.
Ports are initially configured on the VCS Expressway by the VCS Expressway administrator. The firewall
administrator and the traversal client administrator should then be notified of the ports, and they must
configure their systems to connect to these specific ports on the server. The only port configuration required
on the traversal client is the range of ports it uses for outgoing connections; the firewall administrator may
need to know this information so that if necessary they can configure the firewall to allow outgoing
connections from those ports.
The Port usage [p.311] pages (under Maintenance > Tools > Port usage) list all the IP ports that are being
used on the VCS, both inbound and outbound. This information can be provided to your firewall administrator
so that the firewall can be configured appropriately.
When Advanced Networking is enabled, all ports configured on the VCS, including those relating to firewall
traversal, apply to both IP addresses; you cannot configure ports separately for each IP address.
The Expressway solution works as follows:
1. Each traversal client connects via the firewall to a unique port on the VCS Expressway.
2. The server identifies each client by the port on which it receives the connection, and the authentication
credentials provided by the client.
3. After the connection has been established, the client regularly sends a probe to the VCS Expressway to
keep the connection alive.
4. When the VCS Expressway receives an incoming call for the client, it uses this initial connection to send
an incoming call request to the client.
5. The client then initiates one or more outbound connections. The destination ports used for these
connections differ for signaling and/or media, and depend on the protocol being used (see the following
sections for more details).
Configuring the firewall
For Expressway firewall traversal to function correctly, your firewall must be configured to:
- allow initial outbound traffic from the client to the ports being used by the VCS Expressway
- allow return traffic from those ports on the VCS Expressway back to the originating client
Note: we recommend that you turn off any H.323 and SIP protocol support on the firewall: these are not
needed in conjunction with the Expressway solution and may interfere with its operation.
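The two firewall requirements above, plus the note about H.323/SIP support, as an added example for a Linux (iptables/conntrack) firewall between the traversal client and the VCS Expressway; this is not from the Cisco guide. The addresses, the traversal port and the client source-port range are constructed placeholders: take the real values from the Expressway's Ports page and its Port usage list.

```shell
#!/bin/sh
# Added example, not part of the Cisco VCS guide. All values below are placeholders.
CLIENT_IP="${CLIENT_IP:-192.0.2.10}"            # traversal client (placeholder)
EXPRESSWAY_IP="${EXPRESSWAY_IP:-198.51.100.20}"  # VCS Expressway (placeholder)
TRAVERSAL_PORT="${TRAVERSAL_PORT:-7001}"         # Expressway traversal listening port (placeholder)
CLIENT_SPORTS="${CLIENT_SPORTS:-25000:29999}"    # client's configured outbound source-port range (placeholder)

# Print the rules rather than applying them, so the firewall administrator can
# review them first; pipe the output to sh on the firewall to apply.
emit_rules() {
  # 1. The client may open the initial connection to the Expressway traversal port,
  #    and only from its configured source-port range.
  echo "iptables -A FORWARD -p tcp -s $CLIENT_IP --sport $CLIENT_SPORTS" \
       "-d $EXPRESSWAY_IP --dport $TRAVERSAL_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  # 2. Return traffic from that port back to the client is allowed only on connections
  #    the client started; incoming call requests ride on that client-initiated connection,
  #    so the Expressway never needs to open a new connection towards the client.
  echo "iptables -A FORWARD -p tcp -s $EXPRESSWAY_IP --sport $TRAVERSAL_PORT" \
       "-d $CLIENT_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT"
  echo "iptables -A FORWARD -s $EXPRESSWAY_IP -d $CLIENT_IP -m conntrack --ctstate NEW -j DROP"
}

# "Turn off H.323 and SIP protocol support on the firewall": on Linux this means keeping
# the protocol-aware conntrack/NAT helper modules out of the path, since they rewrite
# signaling and media ports and can break the traversal connection.
alg_modules() {
  echo "nf_conntrack_sip nf_nat_sip nf_conntrack_h323 nf_nat_h323"
}
emit_alg_blacklist() {
  # Lines for a modprobe.d(5) configuration file.
  for m in $(alg_modules); do echo "blacklist $m"; done
}
```

Run `emit_rules` and `emit_alg_blacklist` to see the generated rules and the modprobe blacklist lines.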
Configuring traversal server ports
The VCS Expressway has specific listening ports used for firewall traversal. Rules must be set on your
firewall to allow connections to these ports. In most cases the default ports should be used. However, you
have the option to change these ports if necessary by going to the Ports page (Configuration > Traversal >
Ports).
The configurable ports are:
Cisco VCS Administrator Guide (X8.1.1)